# Google Workspace

Cube Cloud supports authenticating users through Google Workspace, which is
useful when you want your users to access Cube Cloud using single sign on. This
guide will walk you through the steps of configuring SAML authentication in Cube
Cloud with Google Workspace. You **must** be a super administrator in your
Google Workspace to access the Admin Console and create a SAML integration.

<SuccessBox>

Single sign-on with Google Workspace is available in Cube Cloud on
[Enterprise](https://cube.dev/pricing) tier.
[Contact us](https://cube.dev/contact) for details.

</SuccessBox>

## Enable SAML in Cube Cloud

First, we'll enable SAML 2.0 authentication in Cube Cloud. To do this, log in to
Cube Cloud and

1. Click your username from the top-right corner, then click <Btn>Team &
   Security</Btn>.

2. On the <Btn>Authentication & SSO</Btn> tab, ensure <Btn>SAML 2.0</Btn> is
   enabled:

<Screenshot
  alt="Cube Cloud Team Authentication and SSO tab"
  src="https://ucarecdn.com/f5ff1413-f37c-4476-afcc-0ff29e87e80a/"
/>

Take note of the <Btn>Single Sign On URL</Btn> and <Btn>Service Provider Entity
ID</Btn> values here, as we will need them in the next step when we configure
the SAML integration in Google Workspace.

## Create a SAML Integration in Google Workspace

Next, we'll create a [SAML app integration for Cube Cloud in Google
Workspace][google-docs-create-saml-app].

1. Log in to [admin.google.com](https://admin.google.com) as an administrator,
   then navigate to

   <Btn>Apps → Web and Mobile Apps</Btn> from the left sidebar.

2. Click <Btn>Add App</Btn>, then click <Btn>Add custom SAML app</Btn>:

<Screenshot src="https://ucarecdn.com/5898f666-a2b4-44b5-ae9e-03832d9966bc/" />

3. Enter a name for your application and click <Btn>Next</Btn>. You can
   optionally add a description and upload a logo for the application, but this
   is not required. Click <Btn>Continue</Btn> to go to the next screen.

<Screenshot src="https://ucarecdn.com/b8fe1ad6-6f31-42ed-908c-3e1b72a3d2f1/" />

4. Take note of the <Btn>SSO URL</Btn>, <Btn>Entity ID</Btn> and
   <Btn>Certificate</Btn> values here, as we will need them when we finalize the
   SAML integration in Cube Cloud. Click <Btn>Continue</Btn> to go to the next screen.

<Screenshot src="https://ucarecdn.com/3f046773-d2d1-424f-a8f8-b023e4896eb1/" />

5. Enter the following values for the <Btn>Service provider details</Btn>
   section and click <Btn>Continue</Btn>.

| Name      | Description                                                         |
| --------- | ------------------------------------------------------------------- |
| ACS URL   | Use the <Btn>Single Sign On URL</Btn> value from Cube Cloud         |
| Entity ID | Use the <Btn>Service Provider Entity ID</Btn> value from Cube Cloud |

5. On the final screen, click <Btn>Finish</Btn>.

6. From the app details page, click <Btn>User access</Btn> and ensure the app is
   <Btn>ON for everyone</Btn>:

<Screenshot src="https://ucarecdn.com/8e1696fa-828c-4be5-a1d8-81c7b054dadb/" />

## Enable SAML in Cube Cloud

In this step, we'll finalise the configuration by entering the values from our
SAML integration in Google into Cube Cloud.

1. From the same <Btn>Authentication & SSO > SAML 2.0</Btn> tab, click the
   <Btn>Advanced Settings</Btn> tab:

<Screenshot src="https://ucarecdn.com/5359c52e-69c1-45fa-baf2-d3bb07d72634/" />

2. Enter the following values in the <Btn>SAML Settings</Btn> section:

| Name                        | Description                                                        |
| --------------------------- | ------------------------------------------------------------------ |
| Audience (SP Entity ID)     | Delete the prefilled value and leave empty                         |
| IdP Issuer (IdP Entity ID)  | Use the <Btn>Issuer</Btn> value from Google Workspace              |
| Identity Provider Login URL | Use the <Btn>Sign on URL</Btn> value from Google Workspace         |
| Certificate                 | Use the <Btn>Signing Certificate</Btn> value from Google Workspace |

3. Scroll down and click <Btn>Save SAML 2.0 Settings</Btn> to save the changes.

## Test SAML authentication

To start using SAML authentication, use the
[single sign-on URL provided by Cube Cloud](#enable-saml-in-cube-cloud)
(typically `<YOUR_CUBE_CLOUD_URL>/sso/saml`) to log in to Cube Cloud.

[google-docs-create-saml-app]: https://support.google.com/a/answer/6087519?hl=en
